Why NAT and IPsec Don't Like Each Other [Updated 4.29.2005]

====================== DISCLAIMER ====================
This posting is provided "AS IS" with no warranties, and confers no rights.

If you have ever ready articles on IPsec or NAT (Network Address Translators) and heard that IPsec can’t be used with NAT but were never told specifically why, then this post is for you.

Why NAT is A Problem for IPsec
As you might recall, IPsec (whether AH or ESP) uses a cryptographic hash value [called the Integrity Check Value (ICV) or the has-based message authentication code (HMAC)]. This has is used by the IPsec end points for data integrity. The end point runs its own has on the some of the parts of the IP packet it receives (it can do this because the end points both know the symmetric key) it then compares the has it received with the has it just created. If they are not the exact same, IPsec drops the IP packet and goes on with its life (it will generate an event if IPsec auditing is configured).

=== The paragraph below was updated 4.29.2006 ===

The problem with NAT is that this hash includes the IP addresses (in AH) and the ports used (in ESP). This means when NAT changes the IP addresses or ports in the IP header, it cannot re-calculate the hash because it is not knowledgeable about the key. IPsec will see that the hash value in the packet does not match the one it calculates and IPsec drops the packets. In ESP the NAT device cannot access and change the port information inside the encrypted TCP headers of the packets.